Revert "Get client secrets via dynamic refs"

This reverts commit eb4258d.

The last build failed with

SSM Secure reference is not supported in:
[AWS::Cognito::UserPoolIdentityProvider/Properties/ProviderDetails/client_secret]

Apparently "Cloudformation doesn't support referencing SecureString ssm
params. This has been a known issue for awhile and we aren't sure
if/when support will come."

aws/aws-cdk#6786 (comment)
aws/aws-cdk#6819

infra/bin/madliberation.ts

@@ -58,7 +58,7 @@ import { GitHubOidcRoleStacks } from "./GitHubOIDCRoleStacks";
   const ssmParameterData: any = {};
   let valueHash;
   getParametersResponse?.Parameters?.forEach(
-    (p: { Name: string; Value: string, Type: string }) => {
+    (p: { Name: string; Value: string }) => {
       console.log("(v3) Received parameter named:");
       console.log(p.Name);
       const SHORT_PREFIX_LENGTH = 6;
@@ -71,15 +71,7 @@ import { GitHubOidcRoleStacks } from "./GitHubOIDCRoleStacks";
       console.log("(v3) value hash:");
       console.log(valueHash);
       console.log("**************");
-      if (
-        p.Type === "SecureString"
-      ) {
-        // We'll access it via dynamic reference, to keep the secret value out
-        // of the template.
-        ssmParameterData[p.Name] = { name: p.Name, SecureString: true };
-      } else {
-        ssmParameterData[p.Name] = p.Value;
-      }
+      ssmParameterData[p.Name] = p.Value;
     }
   );
   console.log("==================");

infra/lib/configureSocialIDPs.ts

@@ -1,7 +1,6 @@
-import { CfnDynamicReference, CfnDynamicReferenceService, SecretValue, Stack } from "aws-cdk-lib";
+import { Stack } from "aws-cdk-lib";
 import { MadLiberationWebappProps } from "./madliberation-webapp";
 import { aws_cognito as cognito } from "aws-cdk-lib";
-import { UserPoolIdentityProviderGoogle } from "aws-cdk-lib/aws-cognito";
 const configureSocialIDPs: (
   stack: Stack,
   props: MadLiberationWebappProps,
@@ -22,7 +21,7 @@ const configureSocialIDPs: (
     const userPoolIdentityProviderFacebook =
       new cognito.UserPoolIdentityProviderFacebook(stack, "Facebook", {
         clientId: facebookAppId,
-        clientSecret: "", // update via escape hatch
+        clientSecret: facebookAppSecret,
         userPool,
         scopes: ["public_profile", "email"],
         /*
@@ -39,63 +38,33 @@ const configureSocialIDPs: (
           email: cognito.ProviderAttribute.FACEBOOK_EMAIL,
         },
       });
-    const cfnUserPoolIdentityProviderFacebook =
-      userPoolIdentityProviderFacebook.node.defaultChild as
-      cognito.CfnUserPoolIdentityProvider;
-    cfnUserPoolIdentityProviderFacebook.addPropertyOverride(
-      "ProviderDetails.client_secret",
-      new CfnDynamicReference(
-        CfnDynamicReferenceService.SSM_SECURE,
-        facebookAppSecret.name
-      )
-    );
     userPool.registerIdentityProvider(userPoolIdentityProviderFacebook);
   }
   if (amazonClientId && amazonClientSecret) {
     const userPoolIdentityProviderAmazon =
       new cognito.UserPoolIdentityProviderAmazon(stack, "Amazon", {
         clientId: amazonClientId,
-        clientSecret: "", // update via escape hatch
+        clientSecret: amazonClientSecret,
         userPool,
         attributeMapping: {
           nickname: cognito.ProviderAttribute.AMAZON_NAME,
           email: cognito.ProviderAttribute.AMAZON_EMAIL,
         },
       });
-    const cfnUserPoolIdentityProviderAmazon =
-      userPoolIdentityProviderAmazon.node.defaultChild as
-      cognito.CfnUserPoolIdentityProvider;
-    cfnUserPoolIdentityProviderAmazon.addPropertyOverride(
-      "ProviderDetails.client_secret",
-      new CfnDynamicReference(
-        CfnDynamicReferenceService.SSM_SECURE,
-        amazonClientSecret.name
-      )
-    );
     userPool.registerIdentityProvider(userPoolIdentityProviderAmazon);
   }
   if (googleClientId && googleClientSecret) {
     const userPoolIdentityProviderGoogle =
       new cognito.UserPoolIdentityProviderGoogle(stack, "Google", {
         clientId: googleClientId,
-        clientSecretValue: new SecretValue(""),
+        clientSecret: googleClientSecret,
         userPool,
         scopes: ["profile", "email"],
         attributeMapping: {
           nickname: cognito.ProviderAttribute.GOOGLE_NAME,
           email: cognito.ProviderAttribute.GOOGLE_EMAIL,
         },
       });
-    const cfnUserPoolIdentityProviderGoogle =
-      userPoolIdentityProviderGoogle.node.defaultChild as
-      cognito.CfnUserPoolIdentityProvider;
-    cfnUserPoolIdentityProviderGoogle.addPropertyOverride(
-      "ProviderDetails.client_secret",
-      new CfnDynamicReference(
-        CfnDynamicReferenceService.SSM_SECURE,
-        googleClientSecret.name
-      )
-    );
     userPool.registerIdentityProvider(userPoolIdentityProviderGoogle);
   }
 };

infra/lib/madliberation-webapp.ts

@@ -35,11 +35,11 @@ export interface MadLiberationWebappProps extends StackProps {
   domainName?: string;
   zoneId?: string;
   facebookAppId?: string;
-  facebookAppSecret?: { name: string, SecureString: boolean };
+  facebookAppSecret?: string;
   amazonClientId?: string;
-  amazonClientSecret?: { name: string, SecureString: boolean };
+  amazonClientSecret?: string;
   googleClientId?: string;
-  googleClientSecret?: { name: string, SecureString: boolean };
+  googleClientSecret?: string;
 }
 
 export class MadliberationWebapp extends Stack {

infra/package.json

@@ -13,7 +13,6 @@
     "synth": "npx cdk synth --no-staging",
     "diff": "npx cdk diff",
     "deploy-webapp": "bash scripts/deploy-webapp.sh",
-    "synth-webapp": "bash scripts/synth-webapp.sh",
     "itest": "bash scripts/itest.sh",
     "smoke": "bash scripts/smoke.sh"
   },